This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Description

JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications; integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement to JBEAP 4.3.0.CP06.

These updated packages include bug fixes and enhancements which are detailed in the Release Notes, available shortly from: http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/

The following security issues are also fixed with this release:

A missing check for the recommended minimum length of the truncated form of HMAC-based XML signatures was found in xml-security. An attacker could use this flaw to create a specially-crafted XML file that forges an XML signature, allowing the attacker to bypass authentication that is based on the XML Signature specification. (CVE-2009-0217)
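The mechanism behind CVE-2009-0217, as an added example that is not code from xml-security or JBoss: XML Signature lets the signed document carry an HMACOutputLength element that tells the verifier to compare only the leading N bits of the HMAC. A verifier that honours any value the attacker supplies can be asked to compare a single bit, and an attacker who cannot compute the HMAC still forges the signature by submitting at most two candidate values. The key, the canonicalized SignedInfo and the minimum output length enforced by the fixed verifier (assumed here to be at least 80 bits and at least half the digest length, the floor the XML Signature errata adopted after this issue) are assumptions made for this demonstration.

```python
import hashlib
import hmac

# Constructed demo values; not a real key or a real JBEAP document.
DIGEST = hashlib.sha1                        # xmldsig#hmac-sha1
DIGEST_BITS = DIGEST().digest_size * 8       # 160 for SHA-1
MIN_OUTPUT_BITS = max(80, DIGEST_BITS // 2)  # assumed floor enforced after the fix
KEY = b"constructed-demo-key-not-a-real-secret"


def signed_info(output_length_bits: int) -> bytes:
    """Constructed, already-canonicalized SignedInfo. HMACOutputLength lives inside
    SignedInfo, so the attacker picks it and the verifier MACs it along with the rest."""
    return (b'<SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
            b'<HMACOutputLength>%d</HMACOutputLength></SignatureMethod>'
            b'<Reference URI="#body"><DigestValue>Y29uc3RydWN0ZWQ=</DigestValue></Reference>'
            b'</SignedInfo>' % output_length_bits)


def truncated_mac(key: bytes, data: bytes, output_length_bits: int) -> bytes:
    """Leading output_length_bits of HMAC-SHA1: the value that goes into SignatureValue."""
    full = hmac.new(key, data, DIGEST).digest()
    nbytes = (output_length_bits + 7) // 8
    out = bytearray(full[:nbytes])
    spare = nbytes * 8 - output_length_bits
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF   # clear the bits beyond the requested length
    return bytes(out)


def verify_unchecked(key: bytes, data: bytes, signature_value: bytes, output_length_bits: int) -> bool:
    """Vulnerable verifier: honours whatever HMACOutputLength the document carries."""
    if not 1 <= output_length_bits <= DIGEST_BITS:
        return False
    expected = truncated_mac(key, data, output_length_bits)
    return hmac.compare_digest(expected, signature_value)


def verify_checked(key: bytes, data: bytes, signature_value: bytes, output_length_bits: int) -> bool:
    """Fixed verifier: same comparison, but refuses truncation below the floor."""
    if output_length_bits < MIN_OUTPUT_BITS:
        raise ValueError("HMACOutputLength %d is below the minimum of %d bits"
                         % (output_length_bits, MIN_OUTPUT_BITS))
    return verify_unchecked(key, data, signature_value, output_length_bits)


def forge(oracle, output_length_bits: int):
    """Attacker without the key: enumerate every possible truncated SignatureValue and
    submit each to the verifier (the oracle) until one is accepted. Returns (value, tries).
    The search space is 2**output_length_bits, so a 1-bit length needs at most 2 tries."""
    nbytes = (output_length_bits + 7) // 8
    shift = nbytes * 8 - output_length_bits
    data = signed_info(output_length_bits)
    for n in range(2 ** output_length_bits):
        candidate = (n << shift).to_bytes(nbytes, "big")
        if oracle(data, candidate, output_length_bits):
            return candidate, n + 1
    return None, 2 ** output_length_bits


def demo() -> dict:
    # Against the unchecked verifier a 1-bit HMAC is forged in at most two attempts.
    unchecked_oracle = lambda d, s, b: verify_unchecked(KEY, d, s, b)
    forged, tries = forge(unchecked_oracle, 1)
    # The checked verifier refuses to compare such a signature at all.
    try:
        verify_checked(KEY, signed_info(1), forged, 1)
        rejected = False
    except ValueError:
        rejected = True
    # A genuine full-length signature still verifies under the fix.
    data = signed_info(DIGEST_BITS)
    genuine = truncated_mac(KEY, data, DIGEST_BITS)
    return {"forged": forged, "tries": tries, "rejected": rejected,
            "genuine_ok": verify_checked(KEY, data, genuine, DIGEST_BITS)}


if __name__ == "__main__":
    print(demo())
```

The check has to happen before the comparison, and on the value parsed from the document rather than on a value the application configured, because the whole point of the flaw is that the document chooses the length. Verifiers that never need truncation are safer still rejecting any HMACOutputLength shorter than the full digest.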

Swatej Kumar discovered cross-site scripting (XSS) flaws in the JBoss Application Server Web Console. An attacker could use these flaws to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-2405)

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

An information leak flaw was found in the twiddle command line client. The JMX password was logged in plain text to "twiddle.log". (CVE-2009-3554)

An XSS flaw was found in the JMX Console. An attacker could use this flaw to present misleading data to an authenticated user, or execute arbitrary scripting code in the context of the authenticated user's browser session. (CVE-2009-1380)

Warning: Before applying this update, please backup the JBEAP "server/[configuration]/deploy/" directory, and any other customized configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259